For USB connectors, the NSA's ANT division offers a whole range of computer bugs. They are
disguised either as the USB plug of a keyboard or as a kind of USB extension plug that is inserted
unnoticed between the mouse, keyboard or other connection and the computer itself.
They transmit and receive either over short distances ("Cottonmouth I") or, by way of a
further implant somewhere in the computer or in the room, over longer distances ("Cottonmouth II",
"Cottonmouth III"). These implants make it possible both to monitor the tapped computer and its
network and to send commands to the computer and into the hijacked network.

COTTONMOUTH-1 is a USB plug implant for intercepting communications, injecting
Trojans, etc. It can connect to other COTTONMOUTH implants via a built-in radio transmitter.

COTTONMOUTH-2 is a USB implant that enables remote control of a target system. It is coupled to a
radio module that is hidden in the computer case and enables access from a greater distance.

COTTONMOUTH-3 is a USB implant for establishing a covert communication path over
radio waves with computers that are operated offline or for which an attack via the network interface
is not practical. It is coupled to a radio module that is hidden in the computer case and enables access
from a greater distance or connects to other COTTONMOUTH modules nearby.

FIREWALK is a hardware implant in the form of an Ethernet or USB socket that allows the interception of
data and the active injection of attack tools over radio.

COTTONMOUTH-I

ANT Product Data 



(TS//SI//REL) COTTONMOUTH-I (CM-I) is a Universal Serial Bus (USB) hardware implant 
which will provide a wireless bridge into a target network as well as the ability to load exploit 
software onto target PCs.

(TS//SI//REL) CM-I will provide air-gap bridging, software persistence capability, “in-field”
re-programmability, and covert communications with a host software implant over the USB. The
RF link will enable command and data infiltration and exfiltration. CM-I will also communicate 
with Data Network Technologies (DNT) software (STRAITBIZARRE) through a covert 
channel implemented on the USB, using this communication channel to pass commands and 
data between hardware and software implants. CM-I will be a GENIE-compliant implant 
based on CHIMNEYPOOL. 

(TS//SI//REL) CM-I conceals digital components (TRINITY), USB 1.1 FS hub, switches, and 
HOWLERMONKEY (HM) RF Transceiver within the USB Series-A cable connector. 
MOCCASIN is the version permanently connected to a USB keyboard. Another version can 
be made with an unmodified USB connector at the other end. CM-I has the ability to 
communicate to other CM devices over the RF link using an over-the-air protocol called 
SPECULATION.

[Figure: COTTONMOUTH CONOP]

Status: Availability - January 2009
Unit Cost: 50 units: $1,015K

POC: [redacted], S3223, [redacted]@nsa.ic.gov
ALT POC: [redacted], S3223, [redacted]@nsa.ic.gov

Derived From: NSA/CSSM 1-52 
Dated: 20070108 
Declassify On: 20320108 



TOP SECRET//COMINT//REL TO USA, FVEY 





COTTONMOUTH-II 

ANT Product Data 



(TS//SI//REL) COTTONMOUTH-II (CM-II) is a Universal Serial Bus (USB) hardware Host
Tap, which will provide a covert link over USB link into a target's network. CM-II is intended
to operate with a long haul relay subsystem, which is co-located within the target
equipment. Further integration is needed to turn this capability into a deployable system.

(TS//SI//REL) CM-II will provide software persistence capability, “in-field” re-programmability,
and covert communications with a host software implant over the USB. CM-II will also
communicate with Data Network Technologies (DNT) software (STRAITBIZARRE) through a
covert channel implemented on the USB, using this communication channel to pass
commands and data between hardware and software implants. CM-II will be a
GENIE-compliant implant based on CHIMNEYPOOL.

(TS//SI//REL) CM-II consists of the CM-I digital hardware and the long haul relay concealed 
somewhere within the target chassis. A USB 2.0 HS hub with switches is concealed in a 
dual stacked USB connector, and the two parts are hard-wired, providing an intra-chassis link.
The long haul relay provides the wireless bridge into the target’s network. 

[Figure: COTTONMOUTH-II (CM-II) CONOP, ANT Covert Network Scenario]

Status: Availability - September 2008



POC: 

ALT POC:

COTTONMOUTH-III

ANT Product Data 



(TS//SI//REL) COTTONMOUTH-I (CM-I) is a Universal Serial Bus (USB) hardware implant,
which will provide a wireless bridge into a target network as well as the ability to load exploit 
software onto target PCs. 




08/05/08



(TS//SI//REL) CM-III will provide air-gap bridging, software persistence capability, “in-field” 
re-programmability, and covert communications with a host software implant over the USB. 
The RF link will enable command and data infiltration and exfiltration. CM-III will also 
communicate with Data Network Technologies (DNT) software (STRAITBIZARRE) through a 
covert channel implemented on the USB, using this communication channel to pass 
commands and data between hardware and software implants. CM-III will be a
GENIE-compliant implant based on CHIMNEYPOOL.

(TS//SI//REL) CM-III conceals digital components (TRINITY), a USB 2.0 HS hub, switches, 
and HOWLERMONKEY (HM) RF Transceiver within a RJ45 Dual Stacked USB connector. 
CM-I has the ability to communicate to other CM devices over the RF link using an
over-the-air protocol called SPECULATION. CM-III can provide a short range inter-chassis link to
other CM devices or an intra-chassis RF link to a long haul relay subsystem. 



[Figure: COTTONMOUTH CONOP]

Status: Availability - May 2009
Unit Cost: 50 units: $1,248K
Declassify On: 20320108

FIREWALK

ANT Product Data 



(TS//SI//REL) FIREWALK is a bidirectional network implant, capable of passively collecting 
Gigabit Ethernet network traffic, and actively injecting Ethernet packets onto the same 
target network.

(TS//SI//REL) FIREWALK is a bi-directional 10/100/1000bT (Gigabit) Ethernet network
implant residing within a dual stacked RJ45 / USB connector. FIREWALK is capable of
filtering and egressing network traffic over a custom RF link and injecting traffic as
commanded; this allows an Ethernet tunnel (VPN) to be created between target network and
the ROC (or an intermediate redirector node such as DNT's DANDERSPRITZ tool).
FIREWALK allows active exploitation of a target network with a firewall or air gap protection.

(TS//SI//REL) FIREWALK uses the HOWLERMONKEY transceiver for back-end
communications. It can communicate with an LP or other compatible HOWLERMONKEY
based ANT products to increase RF range through multiple hops.

[Figure legend: DANDERSPRITZ (IP & MAC Addr); HM - HOWLERMONKEY; LHR - Long Haul Relay]

Status: Prototype Available - August 2008
Unit Cost: 50 Units $537K